Splunk platforms are facing a 'Y2K bug' as of Jan. 1, 2020

[German]Another brief note for administrators of Splunk platforms. Some products will facing a failure on January 1, 2020, similar to the Year 2K problem at the turn of the millennium, due to date counter overflows. But there are patches to fix this problem.

Splunk is a log, monitoring and reporting tool that indexes machine data (logs, metrics and other data from applications, servers and network devices) and makes it accessible and usable for all users via a searchable repository. This allows graphics, reports and alerts to be generated. System administrators should be able to detect and analyze incidents.

The Problem: Inconsistent Data Types

The splunk input processor uses different types of data and timestamps based on the file 'datetime.xml'. The XML file uses regular expressions to extract the information from incoming data. The problem is that the unpatched version of the file can extract years in two-digit date format until 2019. This means that the affected splunk applications will only work until December 31, 2019.

Bleeping Computer mentioned here, that the release notes for Splunk Enterprise indicates that as of January 1, 2020 unpatched splunk instances "incorrectly treat incoming data as an invalid timestamp year". The instanced could either add a timestamp with the current year or misinterpret the date and add a timestamp with the misinterpreted date. The Splunk Enterprise documentation therefore warns that an update must be installed before January 1, 2020 for the platform to correctly recognize timestamps for events with a two-digit year even after the turn of the year.

Affected Splunk products

The release notes of the manufacturer list the following Splunk products as affected by the error. Administrators should patch these products regardless of the underlying operating system.

  • Splunk Cloud
  • Splunk Light
  • Splunk Enterprise
    • Indexers, clustered oder nicht
    • Heavy forwarders
    • Search heads, clustered oder nicht
    • Search head deployers
    • Deployment servers
    • Cluster masters
    • License masters

Splunk universal forwarders are affected under the following conditions:

  • When they have been configured to process structured data, such as CSV, XML, and JSON files, using the INDEXED_EXTRACTIONS setting in props.conf
  • When they have been configured to process data locally, using the force_local_processing setting in props.conf
  • When they have been configured with a monitor input, and that input subsequently encounters an unknown file type

Splunk Cloud customers receive the fix automatically. Splunk Cloud customers are informed by support staff when the upgrade will take place. As this is a critical update, there is no way to postpone it. Further details can be found in the Release Notes if required.

This entry was posted in issue, Software, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *